PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,


3
What is a Breach?
A “breach of the security of the system”:
– Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”
AND
– Must be disclosed to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

4
Privacy Investigations
The Department of Health Care Services (DHCS) investigates all alleged breaches reported by its employees, staff of its business associates, individual program beneficiaries or other persons and will work to resolve the issues raised in order to safeguard individuals' confidential information and improve the DHCS business systems and practices.
The Privacy Officer determines the appropriate level of response to mitigate potential harm and corrective action necessary when the DHCS is made aware of a privacy breach.

7
California Anti-Identity Theft Law (Civil Code section 1798.29)
LEGISLATIVE HISTORY
Senate Bill 1386 (Peace; Chapter 915, Statutes of 2002), otherwise known as the California Security Breach Notification Act, requires state agencies and other entities that maintain personal information in computerized form to notify residents of California in the event of an unauthorized acquisition of computerized data.

9
Timing
California law requires the notice be made “in the most expedient time possible and without unreasonable delay.”
Time may be allowed for needs of law enforcement, if the notification would impede a criminal investigation.

12
Free Credit Report
One of the best ways to protect yourself from identity theft is to monitor your credit history. The federal Fair Credit Reporting Act (FCRA) requires the nationwide credit reporting agencies to provide consumers a free copy of their credit report upon request every 12 months. You may obtain your free copy of your credit report by:
– Calling toll free at: 1-877-322-8228
– Visiting the central website the three credit bureaus have set up at: https://www.annualcreditreport.com/cra/index.jsp
Note: beware of other sites that offer “free” credit reports but may charge for other products.

13
Fraud Alerts (Civil Code section 1785.11.1)
SB 168 (Bowen; Chapter 720; Statutes of 2001) established the fraud alert to warn banks and potential creditors that a person may be a victim of identity theft.
– Requires credit bureau fraud/security alert within 5 business days of consumer request at no cost to consumer.
– Contact three credit reporting agencies: Equifax, Experian, and Trans Union at toll-free number available 24/7.
– Fraud alert lasts 90 days with right to request a renewal.
– Business must take reasonable steps to verify identity of consumer by contacting consumer before extending credit.

14
Credit Freeze (Civil Code section 1785.11.2)
Fraud alerts may be ignored by some creditors. To further guard against identity theft, California law allows consumers to place a security “freeze” so the credit file cannot be shared with potential creditors.
– No cost with a police report filed for victim of identity theft, otherwise $10 for each credit bureau ($30).
– Freeze may be lifted to obtain credit with a specific creditor while the freeze is in place.
– Credit bureau must respond within three business days.
– Credit freeze is in place until consumer requests that it be removed.
– Freeze may be temporarily lifted by a consumer.

15
Federal Stimulus Bill Includes New Mandatory Breach Notifications
American Recovery and Reinvestment Act of 2009 (ARRA); H.R. 1; Public Law 111-5; signed into law by President Obama on 2/17/09.
Title XIII of ARRA, under provisions of the HITECH Act, Subtitle D: Privacy – Sec. 13402, entitled “Notification in the case of Breach,” contains new privacy breach notification requirements for covered entities under HIPAA:
– Requires notification within 60 days for a privacy breach involving HIPAA covered PHI.
– Requires notification to the U.S. Department of Health & Human Services and media outlets for privacy breaches impacting 500 or more individuals.
– Breaches of less than 500 must be logged and provided to HHS annually.
– Authorizes state attorneys general to bring suit for HIPAA violations.